If you see an error opening the signing key file, it's possible that the person who ran keystone-manage pki_setup to generate certificates and keys isn't using the correct user. When you run keystone-manage pki_setup, the Identity Service generates a set of certificates and keys in /etc/keystone/ssl*, which is owned by root:root. This creates a problem when you try to run the Identity Service daemon under the 'keystone' user account (nologin) when trying to run PKI. Unless you manually chown the files keystone:keystone or run keystone-manage pki_setup with --keystone-user and --keystone-group, you'll get an error like this: 2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem 140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r') 140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load signing key file